
[Improvement]: BSI compliant password standards #17053

Open
twocream opened this issue May 15, 2024 · 3 comments
Comments

@twocream

Improvement description

The German administration for security in information technology (BSI) recommends a higher password policy than Pimcore has at the moment.

BSI recommendations:

Short and more complex passwords:

  • 8 to 12 chars long
  • One or more upper-case letters, lower-case letters, numbers and special characters

Longer and less complex passwords:

  • minimum of 25 chars long
  • containing a minimum of two types of characters

BSI INFO PDF

Should we implement this in Pimcore?

@brusch
Member

brusch commented May 16, 2024

I think this would be fine as it won't break anything. If you create a PR you should also consider the password generator 😊 Thanks in advance

@NiklasBr
Contributor

This is not compatible with modern NIST guidelines. Appendix A1 contains a good explanation in that link as well.

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets.

And the person who came up with the recommendations which BSI's look a lot like is now recommending against them.

NCSC also recommends against complexity rules:

Using complexity requirements (that is, where staff can only use passwords that are suitably complex) is a poor defence against guessing attacks. It places an extra burden on users, many of whom will use predictable patterns (such as replacing the letter ‘o’ with a zero) to meet the required 'complexity' criteria. […] For the above reasons, the NCSC do not recommend the use of complexity requirements when implementing user generated passwords.
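To make the disagreement between the two posts concrete, here is an added example (not Pimcore code and not from any commenter) that implements both policies side by side: the two-tier composition rule as the issue describes it, and a NIST SP 800-63B style check that only enforces length and a blocklist. The blocklist, the leet-substitution heuristic and the sample passwords are constructed for the demo; the issue's "8 to 12 chars" tier is read here as a minimum of 8 characters (an assumption), and the 64-character upper bound follows NIST's recommended minimum maximum length.

```python
"""Composition-rule policy (as described in the issue) beside a length-plus-blocklist policy."""
import re
import unicodedata

# Constructed sample blocklist. A real deployment would use a large breached/common-password list.
BLOCKLIST = {"password", "pimcore", "123456", "qwerty", "letmein"}

# Any printable character that is not a letter, digit or whitespace counts as "special".
SPECIAL_RE = re.compile(r"[^A-Za-z0-9\s]")

# Constructed heuristic: undo the predictable substitutions NCSC mentions ('o' -> '0', etc.)
# so that "Passw0rd!" is compared against the blocklist as "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "@": "a", "$": "s", "5": "s", "7": "t"})


def char_classes(pw: str) -> set:
    """Return the set of character classes present: lower, upper, digit, special."""
    classes = set()
    if re.search(r"[a-z]", pw):
        classes.add("lower")
    if re.search(r"[A-Z]", pw):
        classes.add("upper")
    if re.search(r"[0-9]", pw):
        classes.add("digit")
    if SPECIAL_RE.search(pw):
        classes.add("special")
    return classes


def bsi_style_ok(pw: str) -> bool:
    """Two-tier composition policy from the issue.

    Tier 1: at least 8 characters (assumption: "8 to 12" read as a minimum) with all four classes.
    Tier 2: at least 25 characters containing at least two classes.
    """
    n = len(pw)
    classes = char_classes(pw)
    short_complex = n >= 8 and len(classes) == 4
    long_simple = n >= 25 and len(classes) >= 2
    return short_complex or long_simple


def canonical(pw: str) -> str:
    """Normalise Unicode, lower-case, undo leet substitutions and strip trailing punctuation."""
    s = unicodedata.normalize("NFKC", pw).lower().translate(LEET)
    return s.strip("!?.,;:-_ ")


def nist_style_ok(pw: str, min_len: int = 8, max_len: int = 64) -> bool:
    """NIST-style verifier: length bounds and a blocklist check, no composition rules."""
    normalized = unicodedata.normalize("NFKC", pw)
    if not (min_len <= len(normalized) <= max_len):
        return False
    return canonical(normalized) not in BLOCKLIST


def compare(pw: str) -> dict:
    """Evaluate one password under both policies."""
    return {"bsi": bsi_style_ok(pw), "nist": nist_style_ok(pw)}


# Constructed sample passwords illustrating where the two policies disagree.
SAMPLES = [
    "Passw0rd!",                      # satisfies all four classes, but is a disguised blocklisted word
    "correct horse battery staple",   # long passphrase, one class only
    "Correct horse battery staple",   # long passphrase, two classes
    "zebra",                          # too short for either policy
]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw!r:34} {compare(pw)}")
```

Running the block shows the trade-off the commenters are arguing about: the composition policy accepts "Passw0rd!" and rejects the all-lower-case passphrase, while the length-plus-blocklist policy does the reverse. Whichever policy Pimcore adopts, the blocklist check is the part that actually catches predictable patterns.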


github-actions bot commented Jun 6, 2024

Thanks a lot for reporting the issue. We did not consider the issue as "Pimcore:Priority", "Pimcore:ToDo" or "Pimcore:Backlog", so we're not going to work on that anytime soon. Please create a pull request to fix the issue if this is a bug report. We'll then review it as quickly as possible. If you're interested in contributing a feature, please contact us first here before creating a pull request. We'll then decide whether we'd accept it or not. Thanks for your understanding.
